09-13-2013 04:11 AM
Hi,
I have a quick question around the SSL certificate for 2x S170 devices I am installing.
Can I purchase 1 certificate and use it on both devices, or are 2 separate certificates required?
Both of the Proxy servers go through a firewall and are not NAT'd.
Are there any specifics required for the certificate?
09-13-2013 08:08 AM
Technically, you can use the same cert on both WSAs.
Whether you can use the same cert on multiple machines is more a function of the license from the cert provider... some state that you have to purchase the right to use it in more than one place...
It has to be a signing cert, as what the WSA is doing is issuing a new cert that "mimics" the one on the webserver your user is accessing.
09-14-2013 12:57 AM
Do not purchase any certificates as you will likely receive a Server Certificate (not a Root Certificate).
If a trusted CA were to provide you with a Root signed by Verisign for example, you can in turn compete with their business and start signing/selling Server Certificates. There is no way that they can control what you would sign. You can start signing fraudulent certificates and there is nothing that they can do to stop you other than revoking it, which browsers do not check by default.
I have yet to see anybody get a Root signed by a trusted CA. If anybody has obtained one, please do let me know.
The only known ways to obtain a Root for the HTTPS proxy is to either:
a) generate one
b) extract it/generate it from an internal trusted CA.
-Vance
09-19-2013 02:32 AM
The trick was to create a sub-CA from our internal Cert Server.
Couldn't find any specific documentation on doing this on a WSA. There is however documentation online for competitors.
09-20-2013 08:59 AM
We currently use self signed as we do not have an in house CA. I followed the guide here:
09-05-2014 11:34 AM
Hi,
Can you folks please help me? I have one S170 and I would like to enable the HTTPS Proxy, and I'm having trouble uploading the certificate to the appliance.
Until now what I've done is: Enable HTTPS Proxy ---> Use Generated Certificate and Key ---> Download Certificate Signing Request,
then open my root authority server web page ---> request a new certificate ---> paste the content of the S170-generated file.
I receive the certificate, tried to upload the certificate to the proxy, and an error is generated.
Hope someone can help me.
kind regards,
Alcides
09-09-2014 07:33 AM
I've just posted about this exact thing in a different thread:
https://supportforums.cisco.com/discussion/11804801/2048-bit-key-ironport-wsa-https-proxy
Hope that helps you.
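The replies above say the HTTPS proxy needs a signing (CA) certificate, such as a sub-CA from an internal CA, rather than a server certificate. As an added example that is not part of the thread or of Cisco's documentation, this shell check uses the openssl CLI to confirm that a PEM certificate carries the CA extensions before it is uploaded; the file names and the two self-signed sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example; needs the openssl CLI. All names and files are constructed.

# Exit 0 if the PEM certificate has Basic Constraints CA:TRUE and, when a
# Key Usage extension is present, it lists "Certificate Sign".
# Exit 1 if it is not a signing cert, 2 if the file cannot be parsed.
is_signing_cert() {
    _text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    printf '%s\n' "$_text" | grep 'CA:TRUE' >/dev/null || return 1
    if printf '%s\n' "$_text" | grep 'X509v3 Key Usage' >/dev/null; then
        printf '%s\n' "$_text" | grep -A1 'X509v3 Key Usage' |
            grep 'Certificate Sign' >/dev/null || return 1
    fi
    return 0
}

# Build two self-signed sample certificates in directory $1: one with sub-CA
# style extensions, one with ordinary server extensions.
make_samples() {
    cat > "$1/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed-sample.example
[subca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
    for _kind in subca server; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -config "$1/ext.cnf" -extensions "$_kind" \
            -keyout "$1/$_kind.key" -out "$1/$_kind.pem" 2>/dev/null || return 1
    done
}

tmp=$(mktemp -d)
make_samples "$tmp"
for f in "$tmp/subca.pem" "$tmp/server.pem"; do
    if is_signing_cert "$f"; then
        echo "$f: CA certificate, can sign the proxy's mimic certs"
    else
        echo "$f: not a signing cert"
    fi
done
```

Run `is_signing_cert` against the certificate returned by the internal CA; a result of 1 means it was issued from a server template rather than a subordinate CA template.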